Summary

The objective of this paper is to illustrate how an auditor may use statistical
sampling to help control the audit risk. The focus is on planning a significant
area of audit interest such as the revenue cycle. Both statistical
substantive tests of details and any required statistical tests of compliance
may be designed so that the risk of failing to discover a material monetary
error as well as the risk of overauditing may be limited to a tolerable level.
In addition, by considering the extent of these tests at several levels of
planned reliance on the system of internal accounting control, a least cost
combination can be selected.

Controlling Audit Risk
Donald Roberts

Uncertainty is inherent in auditing. Indeed, the general purpose
of auditing procedures is to reduce the auditor's uncertainty to a
tolerable level. This is expressed in Statement on Auditing Standards,
Number 1, section 330.10 which states:

In the great majority of cases, the auditor finds
it necessary to rely on evidence that is persuasive
rather than convincing. Both the individual assertions
in financial statements and the overall proposition
that the financial statements as a whole present fairly,
in conformity with generally accepted accounting
principles, the financial position, results of operations,
and changes in financial position are of such
a nature that even an experienced auditor is seldom
convinced beyond all doubt with respect to all aspects
of the statements being examined.

The risk faced by the auditor is that material errors or irregularities,
if they exist, will not be detected. The auditor is responsible
for controlling this risk and exercises control by determining the nature,
extent, and timing of the substantive audit procedures.

Sampling pertains only to one aspect of the total audit risk. This
is the possibility that audit procedures restricted to a sample of details
of transactions or balances might produce results that differ from
those produced by applying the procedures in the same way to all the
details. This aspect, known as sampling risk, can be objectively measured
and controlled when statistical sampling is used to determine the extent
of the application of audit procedures. Thus, sampling risk is a function
of how much evidential matter the auditor obtains during the audit.

The other aspect of audit risk is a function of the competence of
the evidential matter. It involves the possibility that applying the
procedures to all details of the transactions or balances would fail to
detect a material error that exists. This aspect is known as the
non-sampling risk. It is attributable to the nature of the audit procedures,
the timing of the procedures, the system being examined, and the skill
and care of the auditor.

The  distinction  between  these  two  aspects  of  risk  is  recognized  in 
SAS  1,  section  320A.17,  which  states: 

The competence of evidential matter as referred to
in the third standard of field work is solely a matter
of auditing judgment that is not comprehended in the
statistical design and evaluation of an audit sample.
In a strict sense, the statistical evaluation relates
only to the probability that items having certain
characteristics in terms of monetary amounts, quantities,
errors, or other features of interest will be included
in the sample—not the auditor's treatment of such
items. Consequently, the use of statistical sampling
does not directly affect the auditor's decisions as to
the auditing procedures to be performed, the acceptability
of the evidential matter obtained with respect
to individual items in the sample, or the action which
might be taken in the light of the nature and cause of
particular errors.

Designing an audit program entails exercising control over each aspect
of audit risk—both sampling risk and non-sampling risk. A feature
that facilitates this is that, for a particular test of details, the
audit risk is approximately equal to the sum of the sampling risk and
the non-sampling risk.

To illustrate, suppose that a particular audit procedure had a probability
of .85 of finding a material error, given it existed, when applied
to all details. Further, suppose a statistical sample had a probability
of .95 of producing the same result as applying the procedure to every
detail. Then, the probability of failing to detect the material error is

1 - (.85)(.95) = .1925

which is approximately equal to .15 (the complement of .85) plus .05
(the complement of .95).

The objective of this paper is to illustrate how the auditor may
use statistical sampling to help control his audit risk by maintaining
the sampling risk at a tolerable level. The focus is not on an individual
test of details but on a significant area of audit interest, such
as the revenue cycle. Proper planning allows the auditor to maintain
the sampling risk for each significant area at a tolerable level. The
following describes one way this can be done.

Some guidance for controlling audit risk is provided in Section
320B.35 where the following formula appears:

S = 1 - (1-R)/(1-C)

While this formula conceptually expresses the relationship between audit
risk (1-R), reliance on internal control (C) and the risk level for
substantive tests (1-S), it needs to be modified before it can serve as an
operational tool for determining the appropriate extent of substantive
tests of details.

The  paper's  objective  can  be  restated  in  the  following  way:  to 
make  the  above  formula  operational. 

Audit  Program  Design 

Conceptually,  the  auditor  selects  the  nature,  extent,  and  timing 
of  the  audit  procedures  to  reduce  the  audit  risk  to  a  tolerable  level. 
Following  the  formula  presented  in  Section  320B.35,  the  auditor  might 
calculate  the  overall  audit  risk  corresponding  to  each  account  balance 
or class of transactions as follows:

Internal accounting control:
  Likelihood that a material monetary error
  could occur and remain undetected                    .40   (1-C)

Tests of details:
  Likelihood of non-sampling risk              .10
  Sampling risk                                .20
                                               ---
                                               .30
Analytic review:
  Likelihood of failing to detect
  a material monetary error                    .50
                                                       .15   (1-S)

Combined risk level (.40 x .15)                        .06   (1-R)

The present discussion is limited to controlling the sampling portion
of this risk when statistical tests of details are used. Notice
that in the above illustration, the combined risk level of .06 is composed
of a portion attributable to sampling error (.04 = .40 x .20 x .50)
and a portion attributable to non-sampling error (.02 = .40 x .10 x .50).
The question this paper addresses is how the auditor might select the
extent of the statistical tests of details to maintain the sampling portion
at a tolerable level.

The following steps constitute a way of determining the extent of
the statistical substantive tests of details pertaining to a particular
balance or class of transactions. The method outlined represents a way
to make operational the conceptual formula presented in Section 320B.35.

1. Determine monetary error materiality.

2. Determine the tolerable overall sampling risk.

3. Determine the overall risk of overauditing.

4. Determine the monetary error materiality, sampling
risk, and risk of overauditing for each statistical
test.

5. Design each statistical sample.

Materiality. Elliott [1] has discussed the problem of designating
a measure of materiality for each account balance or class of transactions.
In his discussion, Elliott distinguishes between accounting
materiality and auditing materiality. Auditing materiality is related
to the sensitivity of the audit procedures to discovering monetary
errors of various magnitudes and, therefore, should not exceed the
amount of monetary error the auditor deems material for the financial
statements taken as a whole.

The auditing materiality designated for each account balance or
class of transactions represents the standard the auditor employs in
designing the audit tests. The key question is: what is the maximum
dollar amount of errors that would be acceptable in the circumstances?

After determining a material amount for each account balance or
class of transactions, the auditor needs to allocate this amount between
the statistical and nonstatistical tests. One way to accomplish this
is to answer the question: what is the outside limit on the amount of
monetary error that could remain undetected by the nonstatistical tests?

For example, the following tests of details might be selected to
determine whether accounts receivable are materially overstated with
respect to existence, recorded amount, collectibility, and period cutoffs:

1. Request confirmation of recorded amounts.

2. Analyze and test the account from the date of confirmation
to the closing date.

3. Test aging.

4. Test subsequent collections.

5. Test period cutoffs.

If only the confirmation requests are to be done statistically, the auditor
should not use the entire materiality amount to determine the number of
requests to send. Rather, he should recognize that the other tests of
details may fail to detect monetary errors below some magnitude. What
is the outside limit? A precise answer is probably not possible, but
with careful thought the auditor can select a reasonable amount.

Sampling risk. To determine a tolerable level for the overall
sampling risk (β), the auditor must consider (1) the tolerable combined
risk level attributed to sampling (1-RS), (2) the degree of reliance
on internal accounting controls (C), and (3) the results of any planned
analytical review procedures. If the results of analytical review
procedures may be expressed as the likelihood that such procedures would
detect a material misstatement if such existed (SP), then the following
relationship holds:

β = (1-RS) / ((1-C)(1-SP))


This formula is similar to the formula presented in section 320B.35
with the following provisions:

1. (1-RS) represents the combined risk attributed to
sampling a particular account balance or class of
transactions. This may be added to the nonsampling
risk to obtain the audit risk.

2. The product β(1-SP) represents the sampling portion
of the risk that the substantive tests (tests of
details and analytical review) would fail to detect
a material error if it existed.

3. C expresses the degree of reliance on the pertinent
internal accounting controls expressed on a scale
between zero and less than one. In this case the
pertinent controls are those designed to prevent
or detect monetary errors of the types the statistical
tests of details are capable of detecting.

Using this formula, the auditor first selects the magnitude of the
tolerable combined risk level attributed to sampling (1-RS).

Second, the auditor specifies a value for C. This value is based
on the system review and represents a conditional evaluation that
assumes satisfactory compliance. Ideally, the maximum value for C would
be equal to the likelihood that the set of pertinent accounting controls
would prevent or detect a material amount of monetary error of specified
types given satisfactory compliance. Of course, the auditor can always
elect to use a lesser value for C than the maximum possible.

Instead of attempting to express C as a precise number, the
auditor might use a range of values. For example, a range from 0
to .3 could correspond to no reliance, from .3 to .5 to low reliance,
from .5 to .7 to moderate reliance, from .7 to .85 to high reliance,
and from .85 to 1.0 to very high reliance. In each case, the lower value
of the range could be used in the formula to calculate S.

As a third step, the auditor needs to assign a value to the risk
that any analytical review procedures would fail to detect a material
monetary error. This risk (1-SP) is based on the auditor's judgment
about the likelihood that the analytical review procedures would detect
a material monetary error of the types tested for by the tests of
details. Little research has been done to give guidance to the auditor
in setting this amount, but many well-informed auditors would set this
risk no lower than .6 to .7. More experience in this area might result
in significantly lowering this. (See Kinney [2], [3].)

As an illustration, consider again the tests of details pertaining
to the accounts receivable balance. Suppose that the auditor decides
that the tolerable combined risk level attributed to requesting
confirmation from a sample of the accounts receivable balances should be .05.

To ascertain the maximum level of reliance, the auditor needs to
identify the pertinent controls. These are those controls that are
designed to prevent or detect the following types of errors or
irregularities:

- Sales invoice is inaccurate

- Sales invoice is improperly recorded

- Cash receipts are not recorded

- Cash receipts are recorded incorrectly

The auditor's evaluation of the sets of internal accounting controls
that should prevent or detect these types of errors might be expressed
either on a numerical scale from 0 to 1 or on a qualitative scale. In
either case, the resulting evaluation should express the auditor's
judgment concerning the effectiveness of the controls in preventing or
detecting a material amount of monetary error subject to the condition
that compliance with the controls is satisfactory.

For illustrative purposes, suppose that the auditor decides that
the controls are very good and that the maximum reliance is high
(corresponding to, say, .7 on a numerical scale). To use this degree of
reliance, the auditor would require confirming evidence from tests of
compliance. Deciding what degree of reliance to use in planning
involves a cost/benefit analysis which will be illustrated later.

The remaining judgment concerns the usefulness of the planned
analytical review procedures. As previously suggested, the auditor
currently can only make a rough determination of the likelihood that
the analytical review procedures pertaining to the revenue cycle would
detect a material monetary error in the accounts receivable balance.
Suppose in this illustration that the auditor assigned a value of .33
to this likelihood.

Combining this information to solve for the required level of
sampling risk when the maximum degree of reliance is employed gives the
following result:

β = .05 / ((.3)(.67)) = .25

If the auditor should decide to place no reliance on the pertinent
internal accounting controls, the resulting value of β equals .07. Of
course, he may vary the degree of planned reliance anywhere within this
range. For illustrative purposes, consideration is confined here to
two intermediate choices—.10 corresponding to a low degree of reliance
and .15 corresponding to a moderate degree.

Risk of overauditing. In addition to the overall sampling risk,
the auditor may elect to control the risk that his statistical tests of
details indicate that there may be a material monetary error when, in
fact, there is none. This risk is termed the risk of overauditing
because the consequences of the potential presence of a material error
lead the auditor to increase the audit scope.

How can the auditor select an appropriate level for this risk? A
suggested answer is to consider the types of errors or irregularities
that can be discovered by the tests and determine, in advance, the
additional audit procedures that would be necessary to resolve the
question of potential material error. The additional work entails additional
cost—the auditor might adopt a strategy of selecting the risk of
overauditing to maintain the expected cost at a specified low level. The
expected cost is found by multiplying the risk times the added cost.

In the illustration, the auditor might determine that should the
sample evaluation of the confirmation requests suggest the presence of
a material monetary error, he would conduct an expanded test of
subsequent payments. If the cost of this additional work were about $2,000,
the auditor might select a value of .05 so that the resulting expected
cost would be $100 ($2,000 x .05 = $100).

Sample design. Step 4 is only required when there is more than
one statistical substantive test of details for a particular account
balance or class of transactions. The present discussion is limited
to the case where a single statistical substantive test is being planned.

Sample  design  encompasses  specifying  an  appropriate  audit  objective, 
identifying  the  sampling  unit  and  frame,  determining  the  sample  size, 
and  deciding  on  the  selection  method. 

Audit objective—Each statistical substantive test has both general
and specific objectives. The general objective may be either deciding
whether the amount of monetary error could be material (decision
objective), or estimating the amount of monetary error (estimation objective).
The choice of a general objective depends upon (1) the extent of monetary
error the auditor anticipates finding and (2) the costs and quality
of alternative sources of additional evidence when that is required.

The specific objective states in operational terms the types of
monetary error to be examined in the test. For example, the requests
for confirmation of accounts receivable would provide evidence relative
to existence and accuracy of the recorded amounts—especially errors of
overstatement.

Sampling unit and frame—The frame represents the listing of the
sampling units. Most applications of statistical tests of balances
involve using a computer-based listing of the sampling units.

Determining sample size—Most of the time the auditor has the following
information available for help in determining the appropriate
sample size: (1) the recorded amounts, and (2) the anticipated proportion
of sampling units with monetary error.

Based on this limited information, the auditor needs to determine
a sample size that will achieve the specified tolerable sampling risk
(β) for a specified material amount (M) and the tolerable risk of
overauditing (α).

When one of the standard statistical estimators is used (mean,
difference, ratio, or regression estimator), the auditor may translate
the risk requirements (α, β) and the materiality amount (M) into a
desired standard error of the estimate. This relationship is expressed as

SE(D) = M / (z_β + z_{α/2})

where SE(D) represents the standard error of the estimated total
difference between the audited amount and the recorded amount, z_{α/2}
represents the normal factor corresponding to a risk of overauditing
equal to α, and z_β represents the normal factor corresponding to a
sampling risk of β. In turn, the desired standard error can be used
directly in calculation of the appropriate sample size.

When the auditor elects to use a pps sample to obtain a useful
upper bound for the monetary error, the specified risks (α, β) and the
material amount (M) may be used directly in a table look-up to obtain
the appropriate sample size.

Continuing the example, the auditor would determine the number of
confirmations to request. He might consider the sample size corresponding
to several values of the tolerable sampling risk (β)—each choice
reflecting a different degree of planned reliance on the pertinent internal
accounting controls. The resulting sample sizes might look as follows:

Tolerable sampling risk      .07     .10     .15     .25
Sample size                  478     374     342     239

The decision concerning which of these to use is made after the required
compliance tests are tentatively planned.

Compliance  Tests 

The auditor's compliance tests of pertinent procedures are designed
to ascertain whether the preliminary evaluation is warranted. Such tests
are required only when the auditor plans to rely on the accounting
controls. Each substantive test of details can be used to determine whether
certain types of monetary errors have occurred. The pertinent procedures
are those that are in use to prevent or detect these types of monetary
error. Corresponding to each type of monetary error, the auditor has
identified the pertinent procedure or set of pertinent procedures. For
those procedures that leave an audit trail of evidence, the auditor may
use a statistical sample to test compliance.

The following steps represent a method of determining the extent
of the statistical compliance tests.

1. Determine the audit objectives.

2. Determine the overall risk of unwarranted reliance
corresponding to each planned substantive test.

3. Determine the overall risk of overauditing corresponding
to each planned substantive test.

4. Determine the risks of unwarranted reliance and
overauditing for each individual compliance test.

5. Design each statistical compliance test.

Audit objectives. The audit objective of a statistical compliance
test is to decide whether the deviations from pertinent procedures are too
great to justify the planned reliance. The rate of compliance deviation
determines the potential for monetary error. Of course, not all instances
of procedural deviations will result in monetary errors, but the
opportunity for such error increases as the number of procedural deviations
increases. The range of satisfactory compliance might correspond to those
rates of compliance deviation for which the expected potential monetary
error is less than a material amount. Equivalently, the auditor might
define a threshold rate for unsatisfactory compliance as that rate at
which the expected potential monetary error equals a material amount.

As suggested here, the threshold rate in dollar terms would equal
the material amount M divided by the total recorded amount of the
transactions Y. For example, if $20,000 is a material amount for 10,000
purchase transactions totalling $2,000,000, the threshold rate in dollar
terms would be .01 ($20,000/$2,000,000). What would the threshold rate be in
terms of the number of transactions? The same .01 applied to the 10,000
transactions would suggest that 100 transactions at an average value of
$200 could constitute the expected potential monetary error provided all
transactions were equally likely to contain a monetary error and
provided that the type of error under consideration could lead to the
transaction being overstated by the recorded amount. A higher rate would be
used when the auditor can determine that when a monetary error occurs,
the average magnitude of such an error is less than the total
transaction amount.

The statistical objective, then, of a statistical compliance test
is to decide whether the rate of compliance deviations from a prescribed
procedure or set of procedures could be as large as the determined
threshold rate (P).

Some modification of this is appropriate when not all the pertinent
procedures comprising a set are to be tested statistically. This may
occur, for example, when some procedures within the set are designed to
prevent the error from occurring (prevention controls) while others are
designed to detect any errors that occur (detection controls). In cases
where the prevention controls are tested through inquiry and observation
and the detection controls are tested statistically, the threshold rate
(P) for the statistical tests may be adjusted upwards to reflect the
auditor's judgment concerning the likelihood that the prevention
controls allow a monetary error. For example, if the threshold rate for
the controls considered together is .05, and the auditor's likelihood
that the prevention controls would allow a monetary error to occur is
.25, then P may be set at .20 (.25 x .20 = .05).

Overall risk of unwarranted reliance. The most important risk the
auditor faces is the risk of unwarranted reliance. This means that the
auditor decides that compliance is satisfactory when in fact it is less
than satisfactory. The consequence of this mistake is that the substantive
tests of details are conducted at a greater degree of reliance than
they should be. In particular, if the auditor planned a moderate degree
of reliance, using a sampling risk of .15, when in fact, had he known
that compliance was not satisfactory, he would have used a sampling risk
of .07, he incurs additional risk of not finding a material error when
it exists. Thus, unwarranted reliance leads to increased risk of not
finding a material error.

The auditor can limit the expected amount of this increased sampling
risk by making an appropriate selection of the risk of unwarranted
reliance. The expected increase in sampling risk equals the product of the
risk of unwarranted reliance times the difference between the sampling
risk at the planned degree of reliance and the sampling risk corresponding
to minimal reliance. For example, in the above illustration, if the
auditor uses a risk of unwarranted reliance equal to .10, then the
expected increase is somewhat less than .01 (.10 x (.15 - .07)).

The auditor can decide to limit the expected increase in sampling
risk to any desired level. To illustrate, suppose the level is set at
.01 and that the auditor, as previously described, is considering the
following levels of sampling risk for requesting confirmation from a
sample of the accounts receivable balances:

Degree of Reliance      Tolerable        Risk of
on Internal Control     Sampling Risk    Unwarranted Reliance

None                    .07
Low                     .10              .33
Moderate                .15              .12
High                    .25              .05

Corresponding to each planned degree of reliance, the risk of unwarranted
reliance is selected so that the difference between the sampling risk at
that level and the sampling risk at no reliance multiplied times the
risk of unwarranted reliance does not exceed .01 ((.10 - .07) x .33 = .01,
(.15 - .07) x .12 = .01, (.25 - .07) x .05 = .01).

The suggested way to select the risk of unwarranted reliance may
result in values much higher than the examples cited in section 320B.24.
Nevertheless, the suggested method does not contradict the spirit of
SAS no. 1. In SAS no. 1, the auditor is advised to maintain the risk
of unwarranted reliance at a high level and adjust the threshold rate
according to the degree of planned reliance on pertinent internal
accounting controls. The suggested method described here allows the risk
to vary with the degree of planned reliance and maintains the threshold
rate at a fixed value.

Overall risk of overauditing. Compliance tests may lead to
overauditing. When the auditor decides that compliance with some pertinent
accounting control procedure may not be satisfactory, there must be a
change in the substantive audit program. Incorrectly deciding that
compliance is unsatisfactory adds unnecessarily to the audit expense. The
auditor may elect to control this risk by specifying the chance that
the fraction of compliance deviations in his sample should exceed the
threshold level when the actual rate of compliance deviations is at
some low satisfactory amount (P^).

To illustrate, suppose the threshold rate P = .05. Then the
auditor might select P^ = .01 to represent a low rate corresponding to
satisfactory compliance. When the actual rate equals .01, he would like
the sample to indicate satisfactory compliance. How can a tolerable
risk level be determined? One way would be to balance the expected
increase in audit expense caused by changing the audit program and the cost
of additional observations in the compliance test. For example, suppose
the tolerable sampling risk is .12 at a threshold rate of .05. If the
auditor anticipates no compliance deviations, a sample of 41 would meet
the sampling risk objective, but such a sample size would entail a risk
of overauditing of .34 when the rate of compliance deviation is .01.
Increasing the sample size to 72 maintains the sampling risk at .12,
but decreases the risk of overauditing to .16 by allowing the auditor
to conclude that compliance is satisfactory when either 0 or 1
occurrences is observed.

Is the increased sample size justified? The decrease in risk is
.18 (.34 - .16) and hence the expected cost difference is .18 times the
cost of changing the audit program. This must be compared to the cost
of the 31 additional observations. For example, in the accounts
receivable example, a sample of 342 was judged adequate for a moderate
degree of reliance while a sample of 478 was required for no reliance.
Suppose the cost of auditing a confirmation request that was returned
is $2, the cost of auditing a request that was not returned is $5, and
the auditor anticipates that about 30 percent of the requests will not
be returned. Then the expected cost of 478 requests is $1386, the
expected cost of 342 requests is $992, and the difference is $394. This
difference multiplied by .18 equals $71, the expected cost of
overauditing. If this cost exceeds the cost of 31 additional observations in
the compliance test, the larger sample size should be used. The next
sample size to consider is 100 which allows 0, 1, or 2 occurrences to
conclude that compliance is satisfactory at a .12 sampling risk. The
risk of overauditing reduces to .08 from .16. The expected cost
difference is then .08 x $71 = $6. If the 28 additional observations cost
more than $6, this increase in sample size is not justified.
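The sample sizes and risks quoted in this passage can be checked numerically. The following is an added example, not part of the original paper; it assumes a binomial model for the number of compliance deviations in the sample (the paper does not state its model here), and the function names are illustrative.

```python
from math import comb

def accept_prob(n, c, p):
    """P(at most c deviations in a sample of n) under a binomial model (assumed)."""
    return sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(c + 1))

def sampling_risk(n, c, threshold):
    """Chance the sample looks satisfactory when the true rate equals the threshold."""
    return accept_prob(n, c, threshold)

def overaudit_risk(n, c, p_low):
    """Chance the sample looks unsatisfactory when the true rate is the low rate."""
    return 1.0 - accept_prob(n, c, p_low)

def min_sample_size(c, threshold, risk, n_max=5000):
    """Smallest n whose sampling risk is at or below `risk` with c deviations allowed."""
    for n in range(c + 1, n_max + 1):
        if sampling_risk(n, c, threshold) <= risk:
            return n
    raise ValueError("no sample size up to n_max meets the risk objective")

# (sample size, allowed deviations) as given in the text
PLANS = [(41, 0), (72, 1), (100, 2)]

def evaluate_plans(threshold=0.05, p_low=0.01):
    """Return (n, c, sampling risk, overauditing risk) for each plan in the text."""
    return [(n, c, sampling_risk(n, c, threshold), overaudit_risk(n, c, p_low))
            for n, c in PLANS]

if __name__ == "__main__":
    for n, c, beta, alpha in evaluate_plans():
        print(f"n={n:3d} allow<={c}: sampling risk {beta:.3f}, "
              f"overauditing risk {alpha:.3f}")
    for c in (0, 1, 2):
        print(f"allow<={c}: smallest n for risk <= .12 is "
              f"{min_sample_size(c, 0.05, 0.12)}")
```

Under this model the 41-item plan has a sampling risk of about .122, which rounds to the stated .12; holding the risk strictly at or below .12 with no deviations allowed would take 42 items.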

Individual tests. Having decided on a tolerable risk of unwarranted
reliance pertaining to the statistical tests of details of a particular
account balance or class of transactions, the auditor needs to plan each
individual compliance test. Each individual test consists of examining
evidence of compliance with a procedure or set of procedures designed
to prevent or detect a particular type of monetary error.

A useful decision rule for the auditor is to decide compliance is
satisfactory when each statistical test of compliance indicates that
the rate of compliance deviation is below the threshold rate.
Following this decision procedure, the auditor would set the tolerable risk
level of unwarranted reliance for each test equal to the tolerable
overall risk. The combined risk of unwarranted reliance would then
equal the common value when the rate of compliance deviation of one
of the sets equals the threshold rate. It would, of course, be much
less when the rates of two or more sets equal the threshold rates.


The  auditor  may  choose  to  control  the  risk  of  overauditing  for 
each  individual  test  to  maintain  the  overall  risk  at  a  prescribed  level. 
The  overall  risk  of  overauditing  is  the  sum  of  the  individual  risks  when 
the  auditor  decides  that  compliance  is  satisfactory  only  when  each  rate 
of  compliance  deviation  is  below  its  threshold  rate. 

When  there  is  a  set  of  several  accounting  control  procedures  that 
together  contribute  to  the  prevention  and  detection  of  a  particular  type 
of  monetary  error,  the  auditor  needs  to  examine  the  set  as  a  whole.   In 
such  cases,  it  is  convenient  to  separate  the  set  into  two  subsets,  one 
subset  consisting  of  those  control  procedures  that  are  expected  to 
prevent  the  error  and  the  other  consisting  of  those  procedures  that 
are  expected  to  detect  any  error  made. 

When  a  statistical  sample  is  used  to  test  compliance  with  both 
subsets,  the  auditor  may  define  an  occurrence  as  a  lack  of  evidence  of 
compliance  with  both  subsets  of  procedures — in  other  words,  test  the 
whole  set  as  a  single  procedure.   Frequently,  the  prevention  controls 
cannot  be  tested  statistically  because,  for  example,  they  depend  on 
separation  of  duties  or  using  prenumbered  forms  that  are  independently 
checked.   In  such  cases,  the  threshold  rate  for  the  statistical  test 
of  the  detection  procedures  can  be  adjusted  upward  provided  the  auditor 
can  judgmentally  determine  the  likelihood  that  the  prevention  controls 
alone  would  allow  a  monetary  error  to  occur.   For  example,  a  threshold 
rate  of  .05  could  be  raised  to  .20  if  the  likelihood  that  the  prevention 
controls  permit  a  monetary  error  on  any  transaction  is  judged  to  be 
about .25.

When there are several pertinent procedures that constitute the
set of prevention controls or the set of detection controls, the
requirement to evaluate each set as a single procedure means that an
occurrence should be defined as evidence of non-compliance with any of
the procedures belonging to the set.

Sample design. The sample design consists of (1) defining the
attribute to be tested, (2) specifying the sampling unit and frame,
(3) determining the appropriate sample size and (4) specifying the
selection method. While the test of pertinent control or set of
controls is planned separately, the field work may be arranged to
accomplish several compliance tests with the same sample. Moreover,
combining the compliance tests with substantive tests of transactions
(known as a dual-purpose test) may be considered.

The auditor may determine the required sample size corresponding
to each considered degree of reliance. For example, if the considered
risks of unwarranted reliance are .05, .12, and .33, the required sample
size might equal 150, 105 or 55 respectively.

Trade-off analysis. When the auditor has information pertaining
to the costs of his observations, he can evaluate the alternative
combinations to determine the one that has the least total cost.

In the example, the following represents the alternative
combinations:

                          Degree of Reliance
                          None     Low      Moderate    High

Confirmation requests     478      374      342         239
Compliance test           0        55       105         150

Suppose, as before, that the cost of auditing a returned
confirmation is $2 while the cost of a request not returned is $5. Anticipating
from past experience that 30 percent of the requests will not be
returned, the auditor can calculate the expected cost of each of the
alternative sample sizes as follows:

Confirmation requests     478      374      342         239
Expected cost             $1386    $1085    $992        $693


The following then represents the incremental costs, and incremental
sample size for the compliance test.

                     Compliance Test
Incremental Cost     Incremental Sample Size

$301                 55
$394                 105
$693                 150

As long as the cost of the compliance test is less than $4.62 per
observation, the least cost alternative is to use the high degree of reliance.
For example, if the cost of each observation in the compliance test is
$1, the total cost of that alternative is only $843 compared to $1097
for moderate reliance, $1140 for low reliance and $1386 for no reliance.
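The trade-off analysis can be carried through for any compliance-test cost per observation. This added example (not from the original paper; the names are illustrative) uses the sample sizes and confirmation costs given above and compares all four alternatives rather than only one pair.

```python
COST_RETURNED = 2.0       # cost of auditing a returned confirmation
COST_NOT_RETURNED = 5.0   # cost of auditing a request that was not returned
P_NOT_RETURNED = 0.30     # anticipated share of requests not returned

# degree of reliance -> (confirmation requests, compliance-test sample size)
PLANS = {"none": (478, 0), "low": (374, 55),
         "moderate": (342, 105), "high": (239, 150)}

def confirmation_cost(n_requests):
    """Expected cost of n confirmation requests, rounded to dollars as in the text."""
    unit = ((1 - P_NOT_RETURNED) * COST_RETURNED
            + P_NOT_RETURNED * COST_NOT_RETURNED)
    return round(n_requests * unit)

def total_costs(compliance_unit_cost):
    """Total expected cost of each alternative at a given cost per compliance item."""
    return {level: confirmation_cost(n_conf) + n_comp * compliance_unit_cost
            for level, (n_conf, n_comp) in PLANS.items()}

def least_cost(compliance_unit_cost):
    """Degree of reliance with the lowest total expected cost."""
    costs = total_costs(compliance_unit_cost)
    return min(costs, key=costs.get)

def break_even(level_a, level_b):
    """Compliance cost per item at which alternatives a and b cost the same."""
    (conf_a, comp_a), (conf_b, comp_b) = PLANS[level_a], PLANS[level_b]
    return ((confirmation_cost(conf_b) - confirmation_cost(conf_a))
            / (comp_a - comp_b))

if __name__ == "__main__":
    print("totals at $1 per compliance item:", total_costs(1.0))
    print("high vs none break-even: $%.2f" % break_even("high", "none"))
    print("high vs low break-even:  $%.2f" % break_even("high", "low"))
    for unit in (1.0, 4.0, 4.5, 6.0):
        print(f"${unit:.2f} per item -> least cost: {least_cost(unit)}")
```

With these figures, $4.62 is the break-even between high reliance and no reliance; the four-way comparison also shows low reliance becoming cheaper than high reliance at about $4.13 per observation.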

Summary 

The analysis of risk described in this paper permits the auditor
to design his preliminary audit program from the inside out. He begins
by considering a particular area such as the revenue cycle and selects
the extent of each statistical substantive test of details in order to
achieve an overall tolerable risk level. Similarly, he selects the
extent of each statistical compliance test so that the overall risk of
unwarranted reliance maintains the expected increase in sampling risk
at a tolerable level. For both types of tests the auditor may also
consider the risk of overauditing in selecting the extent of the
statistical tests. Finally, by considering the extent of the tests — both
substantive and compliance — at several possible levels of planned
reliance on the system of internal accounting control, the auditor can
select a combination that has the least cost.